[2103] fix: Adds author xml escaping

[caydnn]

Adds XMLEscape extension to author name usage in {{ cookiecutter.app_name }}.xws

Partially fixes beeware/briefcase#2103

PR Checklist:

• All new features have been tested
• All new features have been documented
• I have read the CONTRIBUTING.md file
• I will abide by the code of conduct

[freakboy3742]

This does appear that it resolves the immediate issue reported by beeware/briefcase#2103; however, two notes:

1. We generally don't create a new template variable when the result can be completely derived with filters. module_name and app_name use template-pre-processing - but that's just for the default value. They can (and, under normal circumstances, will be) be independently provided as part of the template context. So - preference would be to apply the xml_escape filter wherever the variable is used, rather than remember that there's a different variable for the xml excaped author name.
2. While this literally addresses the reported bug with author name, are there any other attributes that can/should be escaped? It would appear that any variable used an attribute or as a value inside a tag should be escaped. Since we're currently looking at escaping, it makes sense to do a comprehensive pass and check every variable insertion to see if it could be problematic.

[caydnn]

Ok no worries Russell, I'll remove the new template and check for other attributes that could be escaped. :)
I sort of made this to see if I was on the right path so thanks for the feedback!

[caydnn]

1. We generally don't create a new template variable when the result can be completely derived with filters. module_name and app_name use template-pre-processing - but that's just for the default value. They can (and, under normal circumstances, will be) be independently provided as part of the template context. So - preference would be to apply the xml_escape filter wherever the variable is used, rather than remember that there's a different variable for the xml excaped author name.
2. While this literally addresses the reported bug with author name, are there any other attributes that can/should be escaped? It would appear that any variable used an attribute or as a value inside a tag should be escaped. Since we're currently looking at escaping, it makes sense to do a comprehensive pass and check every variable insertion to see if it could be problematic.

Sorry about the wait, but these points should be resolved now. I did a lot of xml_escapes where I thought would be necessary. Please let me know if I've gone too far when you get a chance :)

[freakboy3742]

Looks good; although it's probably a little too safe :-) There's a few tags (flagged inline) that can't contain unsafe XML characters by definition, so they don't need to be protected.

[freakboy3742]

Module name should be XML-safe - it has to be a Python identifier.

Suggested change

	<ComponentGroupRef Id="{{ cookiecutter.module_name|xml_escape }}_COMPONENTS" />
	<ComponentGroupRef Id="{{ cookiecutter.module_name }}_COMPONENTS" />

[freakboy3742]

I'm fairly certain email addresses can't contain any XML unsafe characters

[freakboy3742]

Module name must be XML safe - it's a Python identifier.

[freakboy3742]

Some of these are a bit enthusiastic in what they're protecting:

• bundle must be a reversed domain name, so it must be XML safe
• app_name is either a python identifier, or an identifier with _ replace with - - so it must be XML safe
• A file extension is highly unlikely to be XML safe, as is a document type ID. I guess it doesn't hurt to keep those protected, but it probably isn't needed.

[caydnn]

I've taken out extra safe escapes you've flagged Russell, hopefully this is good to go now

[freakboy3742]

👍 Awesome - nice work.

[freakboy3742]

@caydnn Also - noting that this set of change will need to be backported to the Windows app template as well.